
Azure Storage Data Encryption with Customer Provided Keys

Mohit Sharma edited this page Apr 13, 2021 · 1 revision

Azure Storage automatically encrypts all the data persisted in the cloud using 256-bit AES encryption regardless of performance tier (standard or premium), access tier (hot or cool), or deployment model (Azure Resource Manager or classic).

Data in a new storage account is encrypted with Microsoft-managed keys by default. You can continue to rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. There are two options for that:

  1. Using Customer Managed Keys for encrypting and decrypting data in Blob storage and in Azure Files.

    • You can either create your own keys and store them in Azure Key Vault, or you can use the Azure Key Vault APIs to generate keys.
    • In this case, your REST requests against Azure Blob storage have an optional header (x-ms-encryption-scope) that names the encryption scope with which you wish to encrypt or decrypt the data. The key itself stays in Key Vault; only the scope name travels with the request.
    • You can use this feature in AzCopy by using the flag --cpk-by-name="name-of-encryption-scope-to-use".
    • AzCopy supports the cpk-by-name flag for both copy and sync operations.
      • azcopy copy/sync "{source}" "{destination}" --cpk-by-name="testblobscope01"
      • Source and destination can be either Azure Blob Storage, Azure File Storage, or Local File System.
    • Refer to the Azure Storage documentation on enabling customer-managed keys for a storage account.
  2. Using Customer Provided Keys for encrypting and decrypting data on Blob storage operations.

    • In this case, your REST requests against Azure Blob storage have the option to provide an AES-256 encryption key along with every request. The key is sent in a request header, so these requests must be made over HTTPS, and the service does not retain the key: you must supply the same key again to read the data back. See the Blob storage REST API documentation on customer-provided keys.
    • You can use this feature in AzCopy by using the flag --cpk-by-value=true. You are required to set CPK_ENCRYPTION_KEY (the base64-encoded 256-bit key) and CPK_ENCRYPTION_KEY_SHA256 (the base64-encoded SHA-256 hash of the raw key bytes) as environment variables, which AzCopy reads at runtime. Treat these variables as secrets: anything that can read the AzCopy process environment can read the key.
    • AzCopy supports the cpk-by-value flag for both copy and sync operations as well.
      • azcopy copy/sync "{source}" "{destination}" --cpk-by-value
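The following is an added example and not code from AzCopy or the Azure SDK. It shows, for both options above, what actually accompanies a request: the encryption-scope header for the by-name case, and for the by-value case the derivation of the two values AzCopy reads from CPK_ENCRYPTION_KEY and CPK_ENCRYPTION_KEY_SHA256, together with the check the service performs on them (key must be 32 bytes, hash must be SHA-256 of the raw key, transport must be HTTPS). The header names and the HTTPS requirement come from the Blob REST API; the scope name testblobscope01 is the page's own, and the account URL and local path are constructed placeholders.

```python
"""Prepare customer-provided-key (CPK) material for AzCopy and Blob REST calls.

Added example, not AzCopy or Azure SDK code. Header names (x-ms-encryption-*)
and the HTTPS requirement are those of the Blob REST API; the account URL and
file names used below are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlparse


def generate_cpk() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG. Keep it safe: Azure does not retain
    the key, so without it the blobs written with it cannot be read back."""
    return secrets.token_bytes(32)


def cpk_material(key: bytes) -> dict:
    """Return the two values AzCopy expects in the environment for --cpk-by-value.

    The hash is SHA-256 over the raw 32 key bytes, not over the base64 text;
    the service recomputes it from the key it receives and rejects a mismatch.
    """
    if len(key) != 32:
        raise ValueError(f"CPK must be exactly 32 bytes for AES-256, got {len(key)}")
    return {
        "CPK_ENCRYPTION_KEY": base64.b64encode(key).decode("ascii"),
        "CPK_ENCRYPTION_KEY_SHA256": base64.b64encode(
            hashlib.sha256(key).digest()).decode("ascii"),
    }


def decode_material(material: dict) -> tuple:
    """Inverse of cpk_material: (raw key bytes, supplied SHA-256 as hex)."""
    key = base64.b64decode(material["CPK_ENCRYPTION_KEY"], validate=True)
    sha_hex = base64.b64decode(material["CPK_ENCRYPTION_KEY_SHA256"], validate=True).hex()
    return key, sha_hex


def verify_cpk_material(material: dict) -> bool:
    """The consistency check the service applies: 32-byte key, hash matches it."""
    try:
        key, supplied = decode_material(material)
    except (KeyError, ValueError):
        return False
    return len(key) == 32 and hashlib.sha256(key).hexdigest() == supplied


def cpk_by_value_headers(key: bytes) -> dict:
    """Per-request headers a Blob REST call carries in the by-value case."""
    m = cpk_material(key)
    return {
        "x-ms-encryption-key": m["CPK_ENCRYPTION_KEY"],
        "x-ms-encryption-key-sha256": m["CPK_ENCRYPTION_KEY_SHA256"],
        "x-ms-encryption-algorithm": "AES256",
    }


def cpk_by_name_headers(scope_name: str) -> dict:
    """Per-request header in the by-name case: only the scope name is sent,
    the key never leaves Key Vault."""
    return {"x-ms-encryption-scope": scope_name}


def require_https(url: str) -> str:
    """The service refuses CPK requests over plain HTTP because the key is in a
    header; fail locally before the key is ever put on the wire."""
    if urlparse(url).scheme != "https":
        raise ValueError("customer-provided keys must only be sent over HTTPS")
    return url


def azcopy_by_value_invocation(source: str, destination: str, key: bytes) -> tuple:
    """(argv, env) for an AzCopy copy using CPK by value. Nothing is executed here;
    any endpoint that is a URL is checked to be HTTPS first."""
    for endpoint in (source, destination):
        if endpoint.startswith("http"):
            require_https(endpoint)
    argv = ["azcopy", "copy", source, destination, "--cpk-by-value"]
    return argv, cpk_material(key)


if __name__ == "__main__":
    key = generate_cpk()
    argv, env = azcopy_by_value_invocation(
        "./localfile.bin",  # constructed placeholder path
        "https://myaccount.blob.core.windows.net/container/localfile.bin",  # placeholder
        key,
    )
    for name, value in env.items():
        print(f"export {name}='{value}'")
    print(" ".join(argv))
    print(cpk_by_name_headers("testblobscope01"))
```

Run as a script it prints the two export lines and the azcopy command for a freshly generated key; in practice the key would be kept in a secret store and injected into the environment of the AzCopy process only, since the whole protection of the by-value option rests on that key never being exposed alongside the data.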

Use Cases

  • Upload from Local File System to Blob Storage/File Storage: When either the cpk-by-name or the cpk-by-value flag is provided for an upload, the destination is written under the given encryption scope or customer-provided key.
  • Download from Blob Storage/File Storage to Local File System: The source is assumed to be encrypted with the given scope or key, and AzCopy uses the values provided with the flag to decrypt it. Supplying a different key than the one the data was written with fails the download.
  • Service-to-Service transfer between Blob Storage/File Storage and File Storage/Blob Storage: The source is assumed not to be protected by a customer-provided key or a customer-managed encryption scope. If it is, AzCopy cannot perform the service-to-service transfer, because the storage service itself does not support copying such data server-side; this is a limitation of the service, not of AzCopy.